The Security Scrutinizer with Howard Anderson

Will 'Tiger Team' Have Teeth?

Will 'Tiger Team' Have Teeth?

And it remains to be seen whether the group, announced as a short-term effort, could morph into a permanent team open to changing its membership to meet changing needs.

But if the group successfully spearheads some new federal policies this summer, regulators will face pressure to keep this new advisory effort going.

If the group successfully spearheads some new federal policies this summer, regulators will face pressure to keep this advisory effort going. 

Joy Pritts, appointed earlier this year as the first chief privacy officer in the Office of the National Coordinator for Health Information Technology, announced on May 26 plans to form the new team. She said it was designed to centralize and intensify ongoing, highly fragmented efforts to define policies.

Before the team was formed, two workgroups advising ONC were working separately on privacy and security issues, and progress was slow.

The tiger team is starting off with a narrow mission of focusing on policies to guide health information exchanges. Its first draft recommendations, in fact, only deal with policies for the simplest exchanges using the emerging NHIN Direct standards.

(The team will present those recommendations to the HIT Policy Committee June 25 in a teleconference that's open to the public.)

Next on the tiger team's priority list is what it's calling a "framework" of security guidelines for any form of health information exchange, from the simplest one-to-one transactions to statewide or even national efforts. Discussion of an early draft of the framework has already begun.

Team members are meeting frequently and devoting long hours to studying the tedious details involved. These volunteers deserve a lot of credit for their work.

After a particularly detailed conversation during their June 15 meeting about the minutia involved in giving patients access to their records via an HIE, Pritts reminded members they can't afford to get bogged down. She noted that ONC is relying on them to "set guard rails" for broad policy recommendations for HIEs before diving into every single nitty-gritty detail. And that's good advice.

In recommending guard rails, the tiger team should take a strong stand on encryption. Earlier, the Privacy and Security Workgroup of the HIT Policy Committee advocated mandating encryption for "one-to-one exchange from one provider to another for treatment purposes," even if the exchange is direct and not through an intermediary, such as an HIE.

That's a good recommendation. But why not mandate encryption for all messages handled by all HIEs, whether at the local, regional, state or even national level?

Once the tiger team completes its work this summer on HIE-related recommendations, we'd like to see it continue to tackle other thorny security issues, including, for example, security standards for personal health records controlled by patients.

If that happens, representatives of the many other organizations that have a hand in healthcare privacy and security policies -- including ONC, the Department of Health and Human Services, the HHS Office for Civil Rights, the Department of Veterans Affairs, the Department of Defense and others -- should be invited to participate in the team's meetings. That could help build a consensus and speed up development of more "guard rails."

We hope the tiger team's recommendations have teeth, and that federal regulators, in turn, take quick action to clearly spell out the privacy and security guidelines that HIEs, as well as hospitals and clinics that are adopting electronic health records, can put to use.

After all, if consumers don't trust that their records are secure, the multi-billion dollar federal effort to make EHRs ubiquitous could prove to be a colossal waste of money.

About the Author

Howard Anderson

Howard Anderson

News Editor, ISMG

Anderson is news editor of Information Security Media Group and was founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.